Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I don't want to format my drive. Please help me fix


  • Please log in to reply
14 replies to this topic

#1 pkritsada

pkritsada

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 24 July 2009 - 11:04 PM

Every time I open any program the Windows will show error about "COMRes.dll"
I think I have a problem about trojan.
I have scan my PC by GMER and found this.
I don't want to format my drive. Please help me fix




GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-24 19:56:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8A551500 pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [897C1984] NDIS.sys[.reloc]

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] rzqectlsy <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:53 PM

Posted 24 July 2009 - 11:30 PM

Please download Malwarebytes Anti-Malware (v1.39) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#3 pkritsada

pkritsada
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 26 July 2009 - 02:29 PM

Thank you for your help.
This is the log from Anti-Malware Scan.
What should I do next. I still cannot open any program without COMRes.dll warning, --> " This application has failed to start because COMRes.dll was not found. Re-installing the application may fix this problem " .



Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

27/7/2552 0:46:41
mbam-log-2009-07-27 (00-46-41).txt

Scan type: Quick Scan
Objects scanned: 127651
Time elapsed: 2 hour(s), 23 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 70
Registry Values Infected: 34
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\RDHO94385.dll (Trojan.GamesThief) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCAPP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCMSCSVC.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCNASVC.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCPROXY.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCSHIELD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCSYSMON.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFSRV.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naprdmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rssafety.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrUpdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegGuide.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\szace (Backdoor.Hupigon) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6b423c5b-9315-404e-96be-4ebeee8e1743} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9726072a-8039-4958-b609-565cf7a16b38} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{39c1640b-e010-48cf-88a1-0d17a33af9ea} (Trojan.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e45c0ff6-b170-43b2-b897-6d02c43a2e18} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a9bcd26b-9efb-4718-a9db-67a61db76c77} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ec2b07dd-0051-405d-9c98-c8bbf9f27b9a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{704c3595-db85-40f6-a601-8d6f346907bd} (Trojan.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{71c4f360-ff1e-413e-b17a-0ca267a78e97} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{08223b03-1b38-4a33-a83a-a4d3cc1d6e4e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0d267113-499a-4eef-998d-c45731c1b313} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a23ca53c-731f-4033-92e8-c1dfb4e71d34} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{76b9ba7a-81d0-4979-8598-8471f2ab5186} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{122b901e-493f-4ad9-bc69-7de8c3e52fcc} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{76cbcf38-0583-44c7-a1ae-d463dfe625ec} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a0c86020-5935-4b87-b20e-0b656d450264} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e4814792-efa3-4c20-93d0-8b130a59f9a8} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fc8f4603-4ab2-4a0d-b17f-886cc8aaafd2} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{36ac68e6-0c26-4d39-b98e-54b49dab6baa} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{93da1e7d-7c46-4f90-8674-ec90511fca72} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a5ca6c70-7185-4466-ab45-b1c34e7a37ca} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{11b10f7f-fb23-466d-bdc3-9591cf02ec17} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{15882a2f-a06d-486e-8958-e84c86cbf273} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{37c5d66a-8b1b-4545-8112-3751194f6a4a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{50ebd6a5-0cf6-4e59-ae08-ccd991aa0596} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{fca4d3be-c6c7-4f4d-9cbd-cb2666647aca} (Trojan.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{93f33500-527e-4e33-aeca-69b15243a90e} (Trojan.GamesThief) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{480f828b-3e98-426a-aebc-b4307df4771d} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f1c149f4-380c-4f8a-b87e-7393732b27c1} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ab900155-f1f0-4165-9e73-67bc13bbce89} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6b8fb03d-d56c-4d2a-a11a-5a28b9f3de06} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f8c6b7b5-dae0-4b78-bf2a-101c9a9cca27} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ac933d46-96a7-4670-9292-e7c4126c071e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{51f88a10-09e6-4763-948f-1c8861003255} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{cebb8f8a-308b-43e9-9789-b6fd6be1bd97} (Trojan.GamesThief) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.GamesThief) -> Data: c:\windows\system32\rdho94385.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.GamesThief) -> Data: system32\rdho94385.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\RDHO94385.dll (Trojan.GamesThief) -> Delete on reboot.
C:\WINDOWS\system32\READER_S.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\htrn_jis.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\MhaUKGazkr3fZZKp.Ttf (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dfc8ac3ed7da.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\eCgMhGRkPUcdutd0.ttf (Spyware.OnlineGames) -> Quarantined and deleted successfully.

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:53 PM

Posted 26 July 2009 - 02:34 PM

Please update MBAM and run another quick scan

If you can't access the online update thru the program then use this one

http://www.gt500.org/malwarebytes/database.jsp
Chewy

No. Try not. Do... or do not. There is no try.

#5 pkritsada

pkritsada
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 27 July 2009 - 03:31 AM

Thank you very much. I've updated the MBAM and scan my computer again. Then there is one more registry found. However the problem about COMRes.dll is still shown everytime when I open any programs. What should I do next?




Malwarebytes' Anti-Malware 1.39
Database version: 2507
Windows 5.1.2600 Service Pack 3

27/7/2552 7:50:10
mbam-log-2009-07-27 (07-50-10).txt

Scan type: Quick Scan
Objects scanned: 129106
Time elapsed: 2 hour(s), 15 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9d3e893f-55da-42bf-94ef-b634ab358a24} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:53 PM

Posted 27 July 2009 - 06:39 AM

You may have to reload this computer

Please click here to download AVP Tool by Kaspersky.
http://ftp.kaspersky.com/devbuilds/AVPTool/

Save it to your desktop.
Reboot your computer into SafeMode.

You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight SafeMode then hit enter.
Double click the setup file to run it.
Click Next to continue.
It will by default install it to your desktop folder.Click Next.
Hit ok at the prompt for scanning in Safe Mode.
It will then open a box There will be a tab that says Automatic scan.
Under Automatic scan make sure these are checked.


System Memory
Startup Objects
Disk Boot Sectors.
My Computer.
Also any other drives (Removable that you may have)


After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.


Then click on Scan at the to right hand Corner.
It will automatically Neutralize any objects found.
If some objects are left un-neutralized then click the button that says Neutralize all
If it says it cannot be Neutralized then chooose The delete option when prompted.
After that is done click on the reports button at the bottom and save it to file name it Kas.
Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.


Note: This tool will self uninstall when you close it so please save the log before closing it.
Chewy

No. Try not. Do... or do not. There is no try.

#7 pkritsada

pkritsada
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 29 July 2009 - 09:30 AM

I face the scan problem every time with the "ndis.sys". My PC cannot move on. What should I do?

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:53 PM

Posted 29 July 2009 - 10:16 AM

Run an updated scan with MBAM, if you can update, but don't worry if you can't. One of the files you had before indicated a terminal infection, Virut, we need to confirm with something.
Chewy

No. Try not. Do... or do not. There is no try.

#9 pkritsada

pkritsada
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 02 August 2009 - 12:21 AM

Yes. I found another infected as below log. However my PC now send spam mail to everyone in my contact twice a week. Please help me.



Malwarebytes' Anti-Malware 1.39
Database version: 2542
Windows 5.1.2600 Service Pack 3

2/8/2552 12:14:01
mbam-log-2009-08-02 (12-13-42).txt

Scan type: Quick Scan
Objects scanned: 131258
Time elapsed: 2 hour(s), 24 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:53 PM

Posted 02 August 2009 - 12:31 AM

I am afraid I am wasting both of our time.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Chewy

No. Try not. Do... or do not. There is no try.

#11 pkritsada

pkritsada
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 03 August 2009 - 03:35 AM

I've scanned with Kaspersky online already. But it can scan for only 25% of my computer. Kaspersky stop scan when they scan the Ndis.sys everytime. So I stop the scan and save the result to you as belowed. However Can Kaspersky delete the trojan found? Or cannot?


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, August 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, August 03, 2009 08:15:08
Records in database: 2576577
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 67667
Threat name: 1
Infected objects: 0
Suspicious objects: 1
Duration of the scan: 00:54:57


File name / Threat name / Threats count
C:\Program Files\Outlook Express\Hotmail - Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The scan was stopped by the user.

#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:53 PM

Posted 03 August 2009 - 07:20 AM

One or more files with the name READER_S.EXE creates, deletes, copies or moves the following files and folders:

Creates c:\windows\system32\reader_s.exe
Creates c:\documents and settings\user\reader_s.exe
Creates c:\windows\system32\dllcache\ndis.sys
Creates c:\windows\system32\drivers\ndis.sys


http://www.prevx.com/filenames/X9564128780...DER5FS.EXE.html

Prevx won't remove it

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutThis kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
Chewy

No. Try not. Do... or do not. There is no try.

#13 pkritsada

pkritsada
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 03 August 2009 - 11:36 PM

Thank you very much for your very best help.

From my understand, I should format the c:\ Drive ( OS drive ). I have some question.

1st : Can I keep the d:\ ( Data Drive ) ?
2nd : However I format the c:\ ( OS drive ) and reinstall the Windows again, My computer can still be infected, right?
3nd : I use the online banking too. After I format the c:\ ( OS drive ). I still have to change the banking password, right?
4nd : What should I do to clean my Laptop? Change the harddrive?
5nd : Last Choice, I have to give this Laptop to anyone I know. Or sell it to other people ?

However I still want to say thank you very much to you.

#14 pkritsada

pkritsada
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:53 AM

Posted 06 August 2009 - 11:42 PM

Please confirm my upper question. Thank you very much.

#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:53 PM

Posted 07 August 2009 - 12:15 AM

The D drive might be infected, you would have to reload to test and then scan it with a good AV if the reload worked.
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users